On January 10, the Federal Trade Commission’s final rule, amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA), became effective. We wrote about the final rule when it first published in October 2021 (see here). As a practical matter, the amendments will likely require many financial institutions to revisit and revise their policies and procedures, including, for example, in the areas of risk assessments, vendor oversight, and incident response plans.

To refresh, the final rule, among other things:

  • Expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities, which notably brings “finders” — companies that bring together buyers and sellers of a product or service — within the Safeguards Rule’s scope.
  • Adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring (1) designation of a specific qualified individual responsible for overseeing and implementing the information security program, (2) risk assessments, and (3) periodic reports to boards of directors or governing bodies.
  • Adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as (1) encryption of customer information over external networks and at rest, (2) multifactor authentication, and (3) secure disposal of customer information; and
  • Exempts financial institutions that collect customer information from fewer than 5,000 consumers from certain requirements.

While the amended Safeguards Rule became effective on January 10, the following provisions do not become effective until December 9, 2022:

  • The requirement to designate a qualified individual;
  • The specific requirements for written risk assessments (please note that the requirement to perform risk assessments is effective now — only the criteria mandated by the final rule are not yet effective);
  • The specific requirements related to implementation of safeguards based on risk assessments, which include the provisions on encryption and multifactor authentication;
  • The requirement that “information systems” undergo continuous monitoring or periodic penetration testing and vulnerability assessments;
  • Training and operational requirements for security personnel;
  • The requirement to perform periodic assessments of service providers;
  • The requirement to establish a written incident response plan to respond to and recover from security events materially affecting the confidentiality, integrity, or availability of customer information; and
  • The requirement that the qualified individual’s periodic reports be given in writing, regularly and at least annually, to the board of directors.

As noted above, the breadth of parties considered to be “financial institutions” subject to the Safeguards Rule has become broader. Among others, entities are subject to the Safeguards Rule if they engage in the following:

  • Traditional banking functions;
  • Making, acquiring, brokering, or servicing loans or other extensions of credit;
  • Real estate and personal property appraising;
  • Collection agency services;
  • Credit bureau services;
  • Asset management, servicing, and collection activities;
  • Leasing personal or real property;
  • Real estate settlement servicing; and
  • Bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.

Affected entities should be proactive in implementing the significant operational requirements of the revised Safeguards Rule. The requirements are not light lifts, and the countdown clock to compliance is ticking.

James Stevens

James Stevens provides general corporate and regulatory advice to our clients. James has substantial experience in the representation of public and private companies, including financial institutions, marketplace lenders and other FinTech and financial services companies, in mergers and acquisitions, securities offerings and regulatory reporting and compliance. He often serves as the principal outside counsel for these clients.

Alan D. Wingfield

Alan Wingfield is a partner in the firm’s Consumer Financial Services practice, with a focus on Financial Services Litigation and consumer law compliance counseling. Alan has represented businesses in many venues nationally in class action and individual consumer litigation. Alan’s practice includes compliance counseling to help businesses with the myriad federal and state consumer protection laws and laws regulating financial services companies.

Chris Capurso

Chris’ practice focuses on consumer financial services law, primarily on federal and state law compliance matters. Chris regularly advises financial institutions, lenders, and sales finance companies in the development and maintenance of closed-end and open-end lending, automobile finance, fintech, point-of-sale, small dollar, and other credit programs. He provides guidance on federal consumer protection laws and regulations, including TILA, ECOA, ESIGN, and GLBA.